Regular Contributor I
Posts: 179
Registered: ‎12-17-2008

Service config for EAP-TLS with external certificate provider (MDM)

I've been unable to find this in any of the CP docs.

 

Assume I have MobileIron as an endpoint server and endpoints in the repository. Do I just need a single service with auth method EAP-TLS and auth source Endpoints Repository or is there more to it?
--
ACMA ACMP
Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Service config for EAP-TLS with external certificate provider (MDM)

Did you look in the MDM doc on the support site?
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Regular Contributor I
Posts: 179
Registered: ‎12-17-2008

Re: Service config for EAP-TLS with external certificate provider (MDM)

This one? TechNote_ClearPass_MDM_Integration_V2

Yes, used it to get CP and MDM talking, but no mention of the required service config.

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Service config for EAP-TLS with external certificate provider (MDM)

Yes. OK, I will post some examples later tonight. I currently don't have access to my lab.
Thank You,
Troy

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Service config for EAP-TLS with external certificate provider (MDM)

Here is an example of what I have running in my lab.

A couple of things:

1. I sync with my MobileIron server and get information about my devices.
2. You do not have to sync with your MDM, but it gives you more flexibility.
3. You can set your services just like you would a normal TLS service; you just need to:
   A. Add the root cert of the server that is signing the devices' TLS certs.
   B. Allow OCSP to the server that is signing the certs if the device will check to see if the cert is revoked or deleted.
4. I'm only checking Employee and Staff users in AD devices for MDM; that is why the Students are different.
5. In CPPM 6.4 you can even send a message to the mobile device through your enforcement profile, and it will send it to MobileIron via ClearPass Exchange.


 Screen Shot 2014-09-04 at 10.14.51 PM.png

Service explanation

1. This will check to see if the cert will expire within the next week and send the user to the onboarding page or MDM.
2. Looking at the information being pulled down from the MDM and seeing if it is rooted or jailbroken.
3. Same as 2, but seeing if I'm running an app that is not approved, like games or a separate email program.
4. Breakdown:
   A. Is the user in the employee group in my AD?
   B. Did the device authenticate with TLS?
   C. Is it not a device that can be MDM managed (laptop, desktop, etc.)?
5. Breakdown:
   A. Is the user in the employee group in my AD?
   B. Did the device authenticate with TLS?
   C. Is the device rooted or jailbroken?
   D. Is the device managed by MDM?
6. Is it an employee in AD and isn't managed by MDM or doesn't have a TLS cert?
7. Same as 4 but for Staff users in AD.
8. Same as 5 but for Staff users in AD.
9. Same as 6 but for Staff users in AD.
10. Is a student and authenticates with a TLS cert.
11. Same as 6 but for Student users in AD.

Endpoint Screen Shot

Screen Shot 2014-09-04 at 10.29.28 PM.png

Thank You,
Troy

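Troy's eleven rules read as an ordered enforcement policy that is evaluated top to bottom and stops at the first match, so the order (expiry redirect, then the two deny checks, then the per-group allows) is what keeps a jailbroken or unenrolled device from ever reaching an allow rule. The Python below is an added example that models that evaluation over constructed endpoint records; it is not Troy's ClearPass configuration and not Aruba code. The profile names, the attribute names on the request, the approved-app list and the device types treated as MDM-capable are all hypothetical (only "Employee-ExpireCert Profile" is named in the thread), and reading rule 6 as "not MDM managed OR no TLS cert" and rule 5's check as "not rooted/jailbroken" is an assumption about Troy's intent.

```python
# Added example: first-match model of the eleven service rules described in the
# thread. Nothing here is ClearPass or MobileIron code; names are hypothetical
# unless noted. Stdlib only, so it runs offline.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

TODAY = date(2014, 9, 4)             # constructed reference date
EXPIRY_WINDOW = timedelta(days=7)    # rule 1: "expire within the next week"
MDM_CAPABLE = {"phone", "tablet"}    # assumption: laptops/desktops are not MDM managed
APPROVED_APPS = {"mail", "browser"}  # assumption: anything else is unapproved (rule 3)


@dataclass
class Request:
    """One authentication request plus what CPPM would know about the endpoint."""
    username: str
    ad_groups: frozenset            # groups returned by the AD lookup
    auth_method: str                # "EAP-TLS" or something else (e.g. "PEAP")
    device_type: str                # "phone", "tablet", "laptop", ...
    cert_expiry: Optional[date]     # None when no client certificate was presented
    mdm_managed: bool = False       # endpoint record synced from the MDM
    compromised: bool = False       # rooted/jailbroken flag from the MDM (rule 2)
    apps: Tuple[str, ...] = ()      # app inventory from the MDM (rule 3)


def tls(r: Request) -> bool:
    return r.auth_method == "EAP-TLS"


def in_group(r: Request, group: str) -> bool:
    return group in r.ad_groups


def cert_expiring(r: Request) -> bool:
    # Rule 1. An already-expired cert also matches, which is the desired outcome:
    # the user is sent to onboarding/MDM either way.
    return r.cert_expiry is not None and r.cert_expiry - TODAY <= EXPIRY_WINDOW


def unapproved_app(r: Request) -> bool:
    return any(app not in APPROVED_APPS for app in r.apps)


def user_rules(group: str):
    """Rules 4-6 for Employee and 7-9 for Staff have the same shape; only the AD group differs."""
    return [
        # 4/7: group member, authenticated with TLS, device cannot be MDM managed
        (lambda r: in_group(r, group) and tls(r) and r.device_type not in MDM_CAPABLE,
         f"Allow-{group}-NonMDMDevice"),
        # 5/8: group member, TLS, not rooted/jailbroken, managed by MDM
        (lambda r: in_group(r, group) and tls(r) and not r.compromised and r.mdm_managed,
         f"Allow-{group}-Managed"),
        # 6/9: group member but either unmanaged or without a TLS cert -> onboarding/MDM
        (lambda r: in_group(r, group) and (not r.mdm_managed or not tls(r)),
         f"Redirect-{group}-Onboard"),
    ]


# Ordered (condition, enforcement profile) pairs; first match wins.
RULES = (
    [(cert_expiring, "Employee-ExpireCert Profile"),      # 1 (profile name from the thread)
     (lambda r: r.compromised, "Deny-Compromised"),       # 2
     (unapproved_app, "Deny-UnapprovedApp")]              # 3
    + user_rules("Employee")                              # 4-6
    + user_rules("Staff")                                 # 7-9
    + [(lambda r: in_group(r, "Student") and tls(r), "Allow-Student"),   # 10
       (lambda r: in_group(r, "Student"), "Redirect-Student-Onboard")]   # 11
)
DEFAULT_PROFILE = "Deny-Access"  # assumption: anything unmatched is denied


def enforce(r: Request) -> str:
    for condition, profile in RULES:
        if condition(r):
            return profile
    return DEFAULT_PROFILE


# Constructed sample requests covering each branch of the policy.
EMP, STAFF, STUDENT = frozenset({"Employee"}), frozenset({"Staff"}), frozenset({"Student"})
SAMPLES = {
    "employee_phone_ok": Request("alice", EMP, "EAP-TLS", "phone", TODAY + timedelta(days=90),
                                 mdm_managed=True, apps=("mail",)),
    "employee_cert_expiring": Request("bob", EMP, "EAP-TLS", "phone", TODAY + timedelta(days=3),
                                      mdm_managed=True),
    "employee_jailbroken": Request("carol", EMP, "EAP-TLS", "phone", TODAY + timedelta(days=90),
                                   mdm_managed=True, compromised=True),
    "employee_game_app": Request("dan", EMP, "EAP-TLS", "tablet", TODAY + timedelta(days=90),
                                 mdm_managed=True, apps=("mail", "game")),
    "employee_laptop": Request("erin", EMP, "EAP-TLS", "laptop", TODAY + timedelta(days=90)),
    "employee_unenrolled_phone": Request("frank", EMP, "PEAP", "phone", None),
    "staff_managed": Request("gina", STAFF, "EAP-TLS", "phone", TODAY + timedelta(days=30),
                             mdm_managed=True),
    "student_tls": Request("hal", STUDENT, "EAP-TLS", "phone", TODAY + timedelta(days=200)),
    "student_no_cert": Request("ivy", STUDENT, "PEAP", "phone", None),
    "contractor": Request("jo", frozenset({"Contractor"}), "EAP-TLS", "phone",
                          TODAY + timedelta(days=90)),
}


def evaluate_samples() -> dict:
    return {name: enforce(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, profile in evaluate_samples().items():
        print(f"{name:28} -> {profile}")
```

Reordering the list changes the outcome: move the compromised check below the per-group allows and a jailbroken, MDM-managed employee phone with a valid cert would be allowed by rule 5 before rule 2 is ever consulted, which is why Troy's deny checks sit at the top of the service.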
Regular Contributor I
Posts: 179
Registered: ‎12-17-2008

Re: Service config for EAP-TLS with external certificate provider (MDM)

Thanks Troy, kudos for you.

Can you post your Authentication tab for this service?

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Service config for EAP-TLS with external certificate provider (MDM)

Screen Shot 2014-09-04 at 11.06.33 PM.png
Screen Shot 2014-09-04 at 11.06.52 PM.png

Thank You,
Troy

Regular Contributor I
Posts: 179
Registered: ‎12-17-2008

Re: Service config for EAP-TLS with external certificate provider (MDM)

So still a bit unsure of the minimum required auth source here.

Is it the Onboard Devices Repo? I assumed this was only used with Onboard, not an MDM.

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Service config for EAP-TLS with external certificate provider (MDM)

You only need your AD to auth the user.

Thank You,
Troy

Contributor II
Posts: 48
Registered: ‎05-14-2012

Re: Service config for EAP-TLS with external certificate provider (MDM)

Troy,

Could you provide the screenshot for the Employee-ExpireCert Profile, please?